Редагувати

Поділитися через


Assign access to workload owners

When you onboard your AWS or GCP environments, Defender for Cloud automatically creates a security connector as an Azure resource inside the connected subscription and resource group. Defender for cloud also creates the identity provider as an IAM role it requires during the onboarding process.

Assign permission to users, on specific security connectors, below the parent connector? Yes, you can. You need to determine to which AWS accounts or GCP projects you want users to have access to. Meaning, you need to identify the security connectors that correspond to the AWS account or GCP project to which you want to assign users access.

Prerequisites

Configure permissions on the security connector

Permissions for security connectors are managed through Azure role-based access control (RBAC). You can assign roles to users, groups, and applications at a subscription, resource group, or resource level.

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Environment settings.

  3. Locate the relevant AWS or GCP connector.

  4. Assign permissions to the workload owners with All resources or the Azure Resource Graph option in the Azure portal.

    1. Search for and select All resources.

      Screenshot that shows you how to search for and select all resources.

    2. Select Manage view > Show hidden types.

      Screenshot that shows you where on the screen to find the show hidden types option.

    3. Select the Types equals all filter.

    4. Enter securityconnector in the value field and add a check to the microsoft.security/securityconnectors.

      Screenshot that shows where the field is located and where to enter the value on the screen.

    5. Select Apply.

    6. Select the relevant resource connector.

  5. Select Access control (IAM).

    Screenshot that shows where to select Access control IAM in the resource you selected.

  6. Select +Add > Add role assignment.

  7. Select the desired role.

  8. Select Next.

  9. Select + Select members.

    Screenshot that shows where the button is on the screen to select the + select members button.

  10. Search for and select the relevant user or group.

  11. Select the Select button.

  12. Select Next.

  13. Select Review + assign.

  14. Review the information.

  15. Select Review + assign.

After setting the permission for the security connector, the workload owners will be able to view recommendations in Defender for Cloud for the AWS and GCP resources that are associated with the security connector.

Next step